Port Knocking
Beyond Security Ltd. (www.BeyondSecurity.com, www.SecurITeam.com)
Noam Rathaus, CTO
Sunday, July 11, 2004

Post on 22-Dec-2015

Category: Documents

TRANSCRIPT

www.BeyondSecurity.com www.SecurITeam.com
Beyond Security Ltd.

Port Knocking

Beyond Security
Noam Rathaus, CTO
Sunday, July 11, 2004

Presentation on


Paradigm

• A perfectly secure system does not permit any external connections to it

Such a computer, though protected, is impractical:

• Nobody can connect, regardless of their trust level
• This essentially describes a computer that is not networked
• These systems are not a lot of fun...


Extension to Paradigm

• Trusted user sees "a live host": connections from the user to the server are permitted
• Untrusted user sees "a dead host": connections to the server are blocked

How do we discriminate between trusted and untrusted users? Today this is done by firewalls and VPNs


Limitations

• Firewalls authorize access by IP address. Problems:
  • Dynamic addresses
  • Roaming users
• VPNs authorize by authentication. Problems:
  • Needs complicated software (a VPN client)
  • A VPN is per-network, not per-service

Port knocking to the rescue!


Introduction 1/4

• This illustration shows a server which is running four services and which has no firewall
• All ports are open
• Remote computers will successfully connect to four ports: ftp/21, smtp/25, http/80 and pop/110


Introduction 2/4

• A firewalled server listens on port ssh/22
• Connections to the server are silently blocked for all users
• However, once a user completes a port knocking sequence, connections from that user's address are allowed


Introduction 3/4

• Port knocking is a method of establishing a connection to a networked computer that has no open ports
• Before a connection is established, ports are opened using a port knock sequence, which is a series of connection attempts to closed ports
• A remote host generates and sends an authentic knock sequence in order to manipulate the server's firewall rules to open one or more specific ports


Introduction 4/4

• These manipulations are mediated by a port knock daemon, running on the server, which monitors the firewall log file for connection attempts that can be translated into authentic knock sequences
• Once the desired ports are opened, the remote host can establish a connection and begin a session. Another knock sequence may be used to trigger the closing of the port


What is it good for?

• Port knocking is best for hosts that provide services to authorized users who require continual access to services and data from any location
• Port knocking is not suitable for hosts running public services, such as SMTP or HTTP
• Port knocking is used to keep all ports closed to public traffic while flexibly opening and closing ports to traffic from users who have authenticated themselves with a knock sequence


What else?

• This on-demand, IP-based filtering, triggered by the remote user, offers the advantages of IP-based filtering without the limitation usually associated with maintaining static IP rules by hand


What isn't it?

• Port knocking cannot be used to protect public services: such protection cannot be effective if the knock sequence, or a method to generate it, is made public


Why is it so exciting?

• Port knocking is not a listening service, so it is not exposed to network attacks in the way a listening daemon is (the knock daemon still parses attacker-influenced log lines, so its parser must be written defensively)
• A port scan cannot detect a port-knocking daemon, because it never answers; a firewall, by contrast, can often be fingerprinted from how it filters
• The ports seem closed because they are closed!
• In security, a simple mechanism means fewer places for weaknesses to hide


Why not just a Firewall?

• Firewalls define and limit the communication possible within a network
• System administrators tend to be paranoid (good!) and need to enforce limits to help monitoring and troubleshooting
• Unless you are very familiar with your operating system, you may not be aware of all the services running on your computer


Summary

• Port knocking can be used whenever there is a need to transfer information across closed ports
• The port knock daemon can be implemented to respond in any suitable way to an authentic port knock
• The knock may be used to communicate the knock information silently and/or to trigger an action. This is a form of IP over closed ports


Simple Implementation

• The simplest implementation of port knocking uses a log file to interface with the firewall software
• This simple approach makes port knocking highly accessible for home users
• The protected services do not require any modification
• This form of port knocking is relatively easy to set up


Best Practice

• Port knocking is ideally suited to remote administration provided by a latent, on-demand SSH service. In other cases port knocking may not be the right answer


Some History

• cd00r / SAdoor
  • cd00r.c and SAdoor are working proof-of-concept code for a non-listening remote shell on UN*X systems
  • A packet listener in non-promiscuous mode waits for a specific sequence of packets before actually opening any kind of listener
  • This sequence can be any kind of IP traffic, for obscurity
  • Used primarily as stealth backdoors


What is needed?

• knockclient
  • a port knocking client responsible for sending knocks to the remote firewall where a knockdaemon is listening
• knockdaemon
  • a port knocking server responsible for monitoring and responding to incoming knocks generated by knockclient


Port Knocking Client "Flavors"

• There are port knocking implementations in Perl, C/C++, Java, Python and even BASH
• The easiest to implement are Python, Perl and BASH
• These implementations use the logs generated by iptables to discover when someone knocked on the firewall in the right way


What's next? 1/3

• Suppose you have a networked system and you need to connect using ssh
• To close all other ports, use (ipchains takes the destination port range right after the destination address, and the rules must be appended to the input chain):

ipchains -A input -p tcp -s 0/0 -d FIREWALL/32 0:1023 -j DENY -l
ipchains -A input -p tcp -s 0/0 -d FIREWALL/32 1024:49151 -j DENY

Only the first rule logs (-l), so the knock ports must lie in 0:1023. The second rule stops at 49151 so that replies to the firewall's own outgoing connections, which arrive on ephemeral ports, are not dropped; because ipchains is stateless, anything listening above 49151 therefore stays reachable unless a SYN-only (-y) deny rule is added.

• Each connection attempt to a logged port will be logged:

Feb 12 00:13:26 ... input DENY ... CLIENT:64137 FIREWALL:102 ...
Feb 12 00:13:27 ... input DENY ... CLIENT:64138 FIREWALL:100 ...
Feb 12 00:13:27 ... input DENY ... CLIENT:64139 FIREWALL:100 ...
Feb 12 00:13:28 ... input DENY ... CLIENT:64140 FIREWALL:103 ...


What's next? 2/3

• A daemon monitoring the log file can detect these connection attempts to ports 102, 100, 100, 103 from the same IP address
• This particular port sequence could trigger the daemon to open port ssh/22
• The daemon would execute the following command (-I inserts at the head of the chain, so the ACCEPT is evaluated before the DENY rules):

ipchains -I input -p tcp -s CLIENT/32 -d FIREWALL/32 22 -j ACCEPT


What's next? 3/3

• Another sequence can be used to close the port
• For example, 103, 100, 100, 102 could be used to trigger the deletion of the rule that was dynamically created to allow CLIENT to connect:

ipchains -D input -p tcp -s CLIENT/32 -d FIREWALL/32 22 -j ACCEPT

• In this example, a remote user has opened port ssh/22 to IP address CLIENT by making TCP connection attempts to ports 102, 100, 100, 103 and subsequently closed the ssh/22 port to their IP by knocking on ports 103, 100, 100, 102
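As an added example (it is not code from the deck, nor from knockdaemon, cd00r or any other implementation the slides mention), the daemon logic of Introduction 4/4 and the three "What's next?" steps in Python: it parses ipchains-style log lines, keeps a short per-source knock history with a timeout, and on the 102, 100, 100, 103 and 103, 100, 100, 102 sequences returns the ipchains command that would be run. The firewall address 198.51.100.1, the client 203.0.113.5, the 10-second timeout and the log lines are all constructed for the example, and it never executes anything (a real daemon would hand the argument list to the firewall tool directly, not through a shell).

```python
"""Log-driven port-knock daemon, dry run: detects knock sequences in
ipchains-style log lines and returns the firewall command it would run."""
import re

FIREWALL = "198.51.100.1"          # assumption: the firewall's address (FIREWALL on the slides)
PROTECTED_PORT = 22                # the latent ssh service
OPEN_SEQ = (102, 100, 100, 103)    # sequences from the slides
CLOSE_SEQ = (103, 100, 100, 102)
KNOCK_TIMEOUT = 10.0               # assumption: seconds allowed to finish a sequence

# An ipchains "Packet log:" line carries "<src>:<sport> <dst>:<dport>" after the verdict.
LOG_RE = re.compile(
    r"input DENY .*?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)


def parse_line(line):
    """Return (source IP, destination port) for a denied-connection log line, else None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return m.group("src"), int(m.group("dport"))


class KnockDaemon:
    def __init__(self, sequences=None, timeout=KNOCK_TIMEOUT):
        self.sequences = sequences or {OPEN_SEQ: "open", CLOSE_SEQ: "close"}
        self.maxlen = max(len(s) for s in self.sequences)
        self.timeout = timeout
        self.recent = {}      # src IP -> [(dport, timestamp), ...], newest last
        self.allowed = set()  # src IPs currently granted access

    def feed(self, line, now):
        """Process one log line seen at time `now`; return a command string or None."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        src, dport = parsed
        # Forget knocks older than the timeout, then record this one.
        knocks = [(p, t) for p, t in self.recent.get(src, []) if now - t <= self.timeout]
        knocks.append((dport, now))
        self.recent[src] = knocks[-self.maxlen:]
        tail = tuple(p for p, _ in self.recent[src])
        for seq, action in self.sequences.items():
            if tail[-len(seq):] == seq:
                del self.recent[src]        # a completed sequence resets the history
                return self._act(action, src)
        return None

    def _act(self, action, src):
        rule = f"-p tcp -s {src}/32 -d {FIREWALL}/32 {PROTECTED_PORT} -j ACCEPT"
        if action == "open" and src not in self.allowed:
            self.allowed.add(src)
            return f"ipchains -I input {rule}"   # -I puts the ACCEPT ahead of the DENY rules
        if action == "close" and src in self.allowed:
            self.allowed.discard(src)
            return f"ipchains -D input {rule}"
        return None


# Constructed sample log in the ipchains layout shown on the slides
# (documentation addresses, not real hosts), as (timestamp, line) pairs.
CLIENT = "203.0.113.5"


def _log(dport, sport):
    return (f"Feb 12 00:13:26 fw kernel: Packet log: input DENY eth0 PROTO=6 "
            f"{CLIENT}:{sport} {FIREWALL}:{dport} L=60 S=0x00 I=1 F=0x4000 T=64 SYN")


SAMPLE = [
    (0.0, _log(102, 64137)),
    (1.0, _log(100, 64138)),
    (1.0, _log(100, 64139)),
    (2.0, _log(103, 64140)),   # completes the open sequence
    (5.0, "Feb 12 00:13:31 fw sshd[123]: Accepted publickey for admin from 203.0.113.5"),
    (20.0, _log(103, 64141)),
    (21.0, _log(100, 64142)),
    (21.5, _log(100, 64143)),
    (22.0, _log(102, 64144)),  # completes the close sequence
]


def run(sample=SAMPLE):
    """Feed the sample through a daemon and return the commands it would run, in order."""
    daemon = KnockDaemon()
    commands = []
    for timestamp, line in sample:
        cmd = daemon.feed(line, timestamp)
        if cmd is not None:
            commands.append(cmd)
    return commands


if __name__ == "__main__":
    for cmd in run():
        print(cmd)
```

Two details matter in practice: the timeout means a knock spread over too long a period (or a slow scanner sweeping 100 through 103 in order) never matches, and the history is cleared once a sequence completes, so a client cannot be charged twice for one knock. The returned strings are what the slides show; the sequence itself is still a fixed secret, which the Enhancements slide addresses.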


Enhancements

• Encrypted Port Knocks
  • The 4-port knock in the previous example provided little protection against packet sniffing: it was a fixed sequence, independent of the connecting IP address
  • Anyone on the network looking at packets could reconstruct the sequence and use it to gain access to the ssh/22 port
  • In order to reduce the risk of the knock being reconstructed and replayed by a third party, it should contain the client IP address and be encrypted
  • Binding the knock to the client address does not by itself stop a replay sent from, or spoofed as, that same address; a timestamp or counter inside the protected knock is what lets the daemon reject a knock it has already seen
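Added example, not from the deck: one way to make the knock depend on the client address and resist replay. Instead of encrypting a knock, it derives the port sequence from an HMAC over (pre-shared key, client IP, 30-second time window), a keyed alternative to the encryption the slide proposes; the key, the window length, the four-knock length and the addresses are assumptions. The daemon recomputes the expected sequence for the source address it saw in the log and refuses any sequence it has already accepted. `send_knock` is the client side and needs a network; everything else runs offline.

```python
"""Keyed, address-bound, time-windowed port knocks."""
import hashlib
import hmac
import socket
import time

KEY = b"example-shared-secret"       # assumption: pre-shared between client and daemon
KNOCKS = 4                           # ports per sequence (assumption)
PORT_BASE, PORT_SPAN = 1025, 64511   # 16-bit tag chunks are mapped into 1025..65535
WINDOW = 30                          # assumption: seconds per time window


def knock_sequence(key, client_ip, window):
    """Derive the port sequence for (client IP, time window) from an HMAC-SHA256 tag."""
    tag = hmac.new(key, f"{client_ip}|{window}".encode(), hashlib.sha256).digest()
    return [PORT_BASE + int.from_bytes(tag[2 * i:2 * i + 2], "big") % PORT_SPAN
            for i in range(KNOCKS)]


def current_window(now=None):
    """Window number for a Unix timestamp (defaults to the real clock)."""
    return int(time.time() if now is None else now) // WINDOW


def send_knock(host, ports, timeout=0.5):
    """Client side: one connection attempt per port, in order; the SYNs are the knock."""
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect_ex((host, port))   # the port is closed, so this fails; that is expected


class KnockVerifier:
    """Daemon side: check a sequence observed from `client_ip` (the source address
    in the firewall log) against the current and previous window, once each."""

    def __init__(self, key, clock=time.time):
        self.key = key
        self.clock = clock
        self.used = set()   # (client_ip, window) pairs already accepted

    def verify(self, client_ip, observed):
        now_window = current_window(self.clock())
        for window in (now_window, now_window - 1):   # tolerate one window of clock skew
            if list(observed) == knock_sequence(self.key, client_ip, window):
                if (client_ip, window) in self.used:
                    return False             # replay of a sniffed knock
                self.used.add((client_ip, window))
                return True
        return False                         # wrong key, wrong address or stale window


if __name__ == "__main__":
    ip = "203.0.113.5"
    seq = knock_sequence(KEY, ip, current_window())
    print("knock on", seq)        # send_knock("198.51.100.1", seq) would send it
    print("accepted:", KnockVerifier(KEY).verify(ip, seq))
```

A sniffer who captures the four SYNs learns a sequence that is valid only for that source address and only within about a minute, and the `used` set refuses it even then, so spoofing the victim's address buys nothing. The daemon still needs its clock roughly in step with the client's; the one-window tolerance is the whole allowance for skew.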


Questions?

[email protected]@beyondsecurity.com